Method and apparatus for managing access to electronic content

ABSTRACT

According to at least one example embodiment, a method and corresponding content protection server for managing access to electronic content comprise retrieving access policies, or permissions, associated with a content item from a corresponding content sharing application, or rights issuer. The access policies are translated into a format recognizable by a digital rights management (DRM) engine, and forwarded to the DRM engine. The translated access policies are then provided by the DRM engine to a client device where the translated access policies are enforced in managing any potential access to the content item.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/044,765 (INTR-0018-U01), filed Oct. 2, 2013, which is hereby incorporated by reference in its entirety.

BACKGROUND OF THE INVENTION

Digital content sharing is a convenient and easy way to exchange information between people, organizations, companies, or any other entities. However, sharing content over digital media, such as the Internet, may expose the content to untrusted users. Many digital rights management (DRM) technologies provide solutions to limit access to shared content to trusted users.

SUMMARY OF THE INVENTION

A typical digital rights management (DRM) system includes a rights issuer configured to create and provide access policies, or permissions, associated with corresponding content items, and a DRM engine that typically encrypts content items and manages users and access policies. The typical DRM system also includes DRM clients, or agents, for enforcing access policies, associated with content items, within a client device. Within each DRM system, the corresponding rights issuer, DRM engine, and DRM agents are expected to comply with proprietary, or standardized, specification requirements that are specific to the DRM system. As such, DRM systems employing distinct DRM technologies are not interoperable.

Also, once access policies are provided to a DRM client device, management of the access policies is handled by the DRM engine. Dynamically modifying the rights policies once they are delivered to a client device is either impossible, or calls for an active role by the rights issuer to synchronize with the DRM engine and/or the DRM agents in order to revoke previous access policies and provide new ones.

In the following, embodiments of a DRM system with a middle layer enabling support of, and interoperability between, different DRM technologies are presented by applicants. In the DRM system presented, DRM engines do not perform encryption, user management, or access policy management. Each time a protected content item is opened on a client device, corresponding access policies are requested from a corresponding DRM engine. The DRM engine forwards the request to a content protection server. The content protection server retrieves the access policies from the rights issuer, and provides the retrieved access policies to the DRM engine in a format readable by the DRM engine. The access policies are then provided to the DRM client, or agent, to be enforced in the client device. As such, the rights issuer is enabled to dynamically modify access policies at any time. At each attempt to access the content item, the most recent access policies are retrieved from the rights issuer and enforced at the client device.

According to at least one example embodiment, a method and corresponding content protection server for managing access to electronic content comprise retrieving access policies, or permissions, associated with a content item from a corresponding content sharing application, or rights issuer. The access policies are translated into a format recognizable by a digital rights management (DRM) engine, and forwarded to the DRM engine. The translated access policies are then provided by the DRM engine to a client device where the translated access policies are enforced in managing any potential access to the content item.

In order to retrieve the access policies, the content protection server receives information identifying the content item from the client device. The content protection server then requests from the corresponding content sharing application, or rights issuer, the access policies associated with the content item based on the received information identifying the content item. In response to the request, the rights issuer, or the content sharing application, sends the requested access policies to the content protection server.

Retrieving the access policies includes receiving the access policies in a format recognizable by the content protection server. The access policies are translated into the format recognizable by the content protection server by an interface associated with the content sharing application, or rights issuer. The access policies in the format recognizable by the content protection server are then translated, by the content protection server, into a format readable, or recognizable, by the DRM engine.

Prior to retrieving the access policies, the content protection server receives, from the DRM engine, user credentials for authentication. The content protection server may handle the authentication of user credentials locally. Alternatively, the content protection server forwards the user credentials to the content sharing application for authentication. Once the user credentials are successfully authenticated, the content protection server receives information identifying the content item. The content sharing application, or system, is identified based on the received information identifying the content item.

Also, prior to retrieving the access policies, the content item is encrypted by the content protection server. Encrypting the content item includes receiving the content item from the content sharing application. An encryption protocol is then determined based on a type of the received content item. The received content item may be preprocessed based on the content item format. The content item is then encrypted based on the determined encryption protocol. The content item may further be post-processed based on the content item format. The encrypted content item is provided to the user/client device. The content protection server also causes the encrypted content item to be registered at the DRM engine.

The access policies are dynamic. That is, on a subsequent attempt to access the content item at the user device, the access policies are automatically retrieved again from the content sharing application, translated and provided to the DRM engine by the content protection server. So, any modification of the access policies by the content sharing application, or rights issuer, is included in the access policies retrieved by the content protection server upon a subsequent attempt to access the content item.

According to at least one example implementation, the content protection server is coupled to two or more DRM engines. The content protection server is also coupled to two or more content sharing applications, or systems.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing will be apparent from the following more particular description of example embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating embodiments of the present invention.

FIG. 1 is a block diagram illustrating a digital rights management (DRM), or Information Rights Management (IRM), system 100, according to at least one example embodiment;

FIG. 2 is a signaling flowchart illustrating communications between different entities of the DRM system during a publishing phase, according to at least one example embodiment; and

FIG. 3 is a signaling flowchart illustrating communications between different entities of the DRM system during a consumption phase, according to at least one example embodiment.

DETAILED DESCRIPTION OF THE INVENTION

A description of example embodiments of the invention follows.

Digital rights management (DRM) technologies provide solutions for secure content sharing, electronic content protection, and user access control to electronic content. With such solutions, an entity may be able to manage who has the right to access content circulated over the Internet or other digital media, and what kind of rights are granted to each potential user. Electronic content herein refers to one or more media objects, such as music files, images, video files, text documents, or the like.

In a typical DRM system, a rights issuer issues access rights, or permissions, associated with a content item, or object, and provides the access rights to a user device. The DRM rights are enforced at the receiving user device through a DRM client, or agent. A DRM engine coupled to the DRM clients is configured to encrypt content items and manage users and access policies. Each DRM engine typically has proprietary, or standardized, architecture, protocols, encryption methods, policy management and processing methods. The corresponding DRM agents and rights issuer are expected to be compliant with the specificities of the DRM engine and the DRM technology employed by the DRM system in general. As such, DRM systems employing distinct DRM technologies are not interoperable. In order for a user device to consume content protected by a given DRM system, the user device is expected to have a complying DRM agent.

Some typical DRM systems do not enable dynamic access policies, and, as such, access policies may not be modified once they are distributed to DRM agents. Other DRM systems require synchronization between the rights issuer and the DRM engine.

FIG. 1 is a block diagram illustrating a digital rights management (DRM), or Information Rights Management (IRM), system 100, according to at least one example embodiment. The DRM system 100 includes a content sharing system, or application, 110, a content protection server 150, one or more rights management services (RMS) servers, also known as DRM engines, e.g., 160-1-160-n, and a content rendering system, or application, 180. The content sharing system 110 is configured to share content 115 with client users. Specifically, the content sharing system is configured to circulate protected content 185 to user/client devices 180 through the content protection server 150 and an RMS server, or a DRM engine, e.g., 160-1, 160-2, . . . , or 160-n.

The content sharing system, or application, 110 is configured to act as a content issuer and a rights issuer. For example, the content sharing system 110 includes a content issuer module 112 and a rights issuer module 118. The content issuer module 112 is configured to circulate content 115 over the Internet, or any other communications medium, for sharing with potential users. The rights issuer module 118 is configured to issue permissions, or access rights, in association with content 115 for sharing by the content issuer module 112 with client users. The content issuer module 112 may include, or be coupled to, a content repository containing content 115 for sharing. The content issuer module 112 and the rights issuer module 118 may reside on the same device, e.g., enterprise server, personal computer, or the like, or on different devices.

According to at least one example embodiment, the content protection server 150 is coupled to one or more content sharing systems 110 and one or more RMS servers, or DRM engines, e.g., 160-1-160-n. The content protection server 150 represents an intermediate layer, between the DRM engines 160-1-160-n and the content sharing system(s) 110, that is agnostic to the DRM engines 160-1-160-n and the content sharing system(s) 110. The middle layer is configured to normalize content processing, irrespective of the content type, and handle content encryption instead of the DRM engines 160-1-160-n. Specifically, during a publishing phase, the content protection server 150 is configured to encrypt the content 115, irrespective of the corresponding content type, and provide a corresponding protected, or encrypted, copy 185 of the content to the content sharing system 110. The content sharing system 110 may then share the encrypted content 185 with client users.

Also, when the client user attempts to access the encrypted content 185, the content protection server 150 acts as an interoperability layer between an RMS server, or a DRM engine, e.g., 160-1, 160-2, . . . , or 160-n, and the content sharing system 110 associated with the protected content 185. In other words, during a consumption phase of the protected content 185, the content protection server 150 translates policy objects received from the content sharing system 110, or the rights issuer module 118, into a format, or language, recognizable by the DRM engine, e.g., 160-1, 160-2, . . . , or 160-n.

According to at least one example embodiment, the content protection server 150 provides an interoperability interface between fundamentally different DRM technologies, at the protection layer. That is, the format and/or language employed in creating the access rights, or permissions, by the rights issuer 118 and the DRM technologies supported by a given DRM engine may be fundamentally different and non-compliant with each other's requirements, yet the content protection server 150 provides an interface that enables interoperability between the given content sharing system 110 and a given DRM engine.

The content protection server 150 is configured to support multiple DRM technologies and corresponding DRM engines 160-1-160-n. For example, the RMS servers, or DRM engines, 160-1-160-n include a “LiveCycle” server from Adobe, a Microsoft RMS server, and/or other proprietary or standardized DRM engines. The content protection server 150 is also configured to support multiple content sharing systems 110.

According to at least one example embodiment, the DRM engines 160-1-160-n are used to register documents and reroute access requests from client devices to the content protection server 150. The DRM engines 160-1-160-n do not perform content encryption, user management, or policy management. However, the content protection server 150 may employ software development kits (SDKs) to match the particular DRM technology for that DRM engine. Encryption is done at the content protection server side, yet the employed encryption techniques are expected to be compliant with the techniques supported by the DRM engines. When a client user attempts to open the protected content 185, the user device 180 sends a request for corresponding DRM policies, or permissions, to a corresponding DRM engine. The DRM engine forwards the request to the content protection server 150, which requests the DRM policies, or permissions, from the content sharing system 110, e.g., from the policy issuer 118. Upon receiving the requested access policies, the content protection server 150 provides the access policies to the DRM engine, which provides them to the user device to be enforced. In response to each subsequent attempt to open the content item again, the same process is repeated and access policies are obtained again from the content sharing application 110, or the rights issuer 118. Such a scheme enables the content sharing application 110, or the rights issuer 118, to dynamically manage and control the access policies with the certainty that the latest updated version of the access policies is employed by a user device attempting to access the content item. For example, the content sharing application 110, or rights issuer 118, may update access policies associated with content items once the content items and the corresponding policies have been distributed. The access to already distributed content items may also be revoked by the content sharing application 110, or rights issuer 118.

FIG. 2 is a signaling flowchart illustrating communications between different entities of the DRM system 100 during a publishing phase, according to at least one example embodiment. The publishing phase refers to the protection and circulation, or sharing, of a content item. Upon initiating a process of sharing a content item 115, at 205, the content item is sent 210 to the content protection server 150. Initiating the process of sharing, or circulating, a content item includes, for example, attempting to attach the content item to an email, attempting to upload or send the content item to a non-secure device, or the like. The content protection server 150 determines an encryption protocol based on the type and/or format of the content item. For example, for a Microsoft Office document, the content protection server selects an encryption protocol that is supported by Microsoft rights management services (MS RMS). For a PDF document, however, the content protection server selects an encryption protocol supported by Adobe LiveCycle RMS. The content item 115 is then encrypted according to the determined encryption protocol by the content protection server 150 at 215. The content protection server causes the encrypted content item 185 to be registered at a corresponding DRM engine at 220. For example, if the content item 115 is a Microsoft Office document, then the corresponding DRM engine is a Microsoft RMS server. If the content item 115 is a PDF document, then the corresponding DRM engine is an Adobe RMS server. According to an example implementation, the content protection server 150 sends a publishing license identification (ID) and information indicative of the existence of access policies associated with the content item to the DRM engine for registering the content item. At 230, the encrypted content item 185 is sent to the content sharing application 110. At 240, the content sharing application 110, or the content issuer 112, shares the encrypted content item 185 with one or more user devices 180. For example, the content sharing application 110 may send the encrypted content item 185 to the one or more user devices 180. The content sharing application 110 may, alternatively, make the encrypted content item 185 available to the one or more user devices 180, for example, by uploading the encrypted content item 185 on the Internet.

FIG. 3 is a signaling flowchart illustrating communications between different entities of the DRM system during a consumption phase, according to at least one example embodiment. Once the encrypted content item 185 is opened, at 305, in the user device 180, information identifying the encrypted content item 185 is sent at 310 to a corresponding DRM engine 160. In this case, the corresponding DRM engine 160 may be determined based on a rendering application used to open the encrypted content item 185 or a DRM agent associated with the encrypted content item 185. For example, Microsoft Office will automatically contact an MS RMS server. The corresponding DRM engine 160 responds to the user device 180, at 320, with authentication information that is determined, for example, based on the information identifying the encrypted content item 185. The authentication information indicates what kind of authentication is required for the encrypted content item 185.

At 325, the user device 180 provides an authentication window or session for the user, and the user is requested to enter his user credentials. The user credentials are then sent to the content protection server 150 for authentication. According to one example implementation, the content protection server 150 may handle the authentication locally if, for example, the content protection server 150 maintains a database of authentic user credentials for each user. Alternatively, the user credentials received by the content protection server are sent to the content sharing application 110 for authentication. Once user credentials are authenticated, an indication of successful authentication is sent to the user device 180. Once the user credentials are authenticated at 325, the user device 180 sends, at 330, the information identifying the encrypted content item 185 to the DRM engine 160 again. The user device 180 may also send a notification to the DRM engine 160 indicating that user credentials are successfully authenticated.

At 340, the DRM engine 160 forwards the information identifying the encrypted content item 185 to the content protection server 150. The content protection server 150 sends a request, at 350, to the content sharing application 110 requesting access policies, or permissions, based on the information identifying the encrypted content item 185. The content protection server 150 stores, for example, a database mapping information identifying content items to corresponding content sharing applications 110, rights issuers, or corresponding plug-in modules 120. At 355, the plug-in module 120 translates the requested access policies into a format, or language, recognizable by the content protection server 150, and the translated access policies are sent at 360 to the content protection server 150. Alternatively, the translation to a format, or language, recognizable by the content protection server 150 may be performed by a translation module within, or associated with, the content protection server 150.

The plug-in module 120 resides at the content sharing application 110. The plug-in module 120 is implemented, for example, as an application on top, a plug-in, an extension of the content sharing application 110, or the like. The plug-in module 120 translates 355 permissions, or DRM policies, specific to the content sharing application 110, or the corresponding rights issuer 118, into a format, or language, recognizable by the content protection server 150. The content protection server 150 stores information that enables mapping the encrypted content item 185 to a corresponding content sharing application 110, or plug-in module 120. Upon receiving the be able to identify what content sharing application or plug-in to call for a specific document in the authorization phase

The content protection server 150 translates, at 365, the access policies into a format, or language, recognizable by the DRM engine 160, and sends 370 the access policies in the format, or language, recognizable by the DRM engine 160 to the DRM engine 160. The DRM engine forwards 380 the access policies received to the user device 180. The access policies are enforced 385 in the user device 180, for example, by a corresponding DRM agent.

The process described with respect to FIG. 3 is performed again with each subsequent attempt to access the encrypted content item 185 in the user device 180, and each time, the latest version of the access policies is obtained from the content sharing application and enforced at the user device 180, therefore enabling dynamic access policies that are managed by the content sharing application 110, or the rights issuer.
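The policy path of FIG. 3 (steps 340 to 370) can be sketched as follows. This is an added example, not code from the patent or from any DRM product: the class names, the role names, and the two engine formats (`engine_a`, `engine_b`) are hypothetical. It shows the two-stage translation, the absence of any policy cache so that a change or revocation at the rights issuer takes effect on the next open, and a fail-closed result for unmapped content.

```python
from dataclasses import dataclass

# Canonical rights vocabulary of the content protection server (assumed).
CANONICAL_RIGHTS = ("view", "print", "edit", "copy")


@dataclass(frozen=True)
class CanonicalPolicy:
    content_id: str
    user: str
    rights: frozenset


class SharingApp:
    """Stand-in for content sharing application 110 / rights issuer 118."""

    # Application-specific roles (hypothetical); plug-in 120 maps them
    # to the canonical rights understood by the content protection server.
    ROLE_RIGHTS = {
        "viewer": {"view"},
        "reviewer": {"view", "print"},
        "editor": {"view", "print", "edit", "copy"},
    }

    def __init__(self):
        self._roles = {}  # (content_id, user) -> role name

    def set_role(self, content_id, user, role):
        self._roles[(content_id, user)] = role

    def revoke(self, content_id, user):
        self._roles.pop((content_id, user), None)

    def plugin_get_policy(self, content_id, user):
        """Steps 355/360: app-specific role -> canonical policy."""
        role = self._roles.get((content_id, user))
        rights = self.ROLE_RIGHTS.get(role, set())  # unknown role: no rights
        return CanonicalPolicy(content_id, user, frozenset(rights))


def to_engine_a(policy):
    """Hypothetical engine format A: rights packed into a bitmask."""
    mask = 0
    for bit, right in enumerate(CANONICAL_RIGHTS):
        if right in policy.rights:
            mask |= 1 << bit
    return {"doc": policy.content_id, "principal": policy.user, "mask": mask}


def to_engine_b(policy):
    """Hypothetical engine format B: explicit allow/deny flag per right."""
    flags = {r.upper(): r in policy.rights for r in CANONICAL_RIGHTS}
    return {"id": policy.content_id, "user": policy.user, "permissions": flags}


class ContentProtectionServer:
    """Stand-in for content protection server 150."""

    def __init__(self):
        self._issuer_for = {}  # content_id -> SharingApp (mapping database)
        self._translators = {"engine_a": to_engine_a, "engine_b": to_engine_b}

    def register(self, content_id, app):
        self._issuer_for[content_id] = app

    def handle_policy_request(self, engine, content_id, user):
        """Steps 340-370: look up issuer, fetch fresh policy, translate."""
        translate = self._translators[engine]  # unknown engine: KeyError
        app = self._issuer_for.get(content_id)
        if app is None:
            # Unmapped content item: fail closed with an empty rights set.
            policy = CanonicalPolicy(content_id, user, frozenset())
        else:
            # Nothing is cached, so every open sees the current policy.
            policy = app.plugin_get_policy(content_id, user)
        return translate(policy)


def demo():
    """Constructed scenario: grant, downgrade, revoke, unknown document."""
    app = SharingApp()
    cps = ContentProtectionServer()
    cps.register("doc-42", app)

    app.set_role("doc-42", "alice", "reviewer")
    first = cps.handle_policy_request("engine_a", "doc-42", "alice")
    app.set_role("doc-42", "alice", "viewer")   # issuer modifies rights
    second = cps.handle_policy_request("engine_a", "doc-42", "alice")
    app.revoke("doc-42", "alice")               # issuer revokes access
    third = cps.handle_policy_request("engine_b", "doc-42", "alice")
    unknown = cps.handle_policy_request("engine_b", "doc-999", "alice")
    return first, second, third, unknown


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Enforcement (step 385) still happens in the DRM agent on the user device, so the sketch covers only what the server side hands to the engine.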

The content protection server 150 includes a set of application programming interfaces (APIs), which provide to third parties a public interface for accessing functionalities associated with the content protection server. Such APIs include analytics APIs, policy management APIs, document management APIs, and user management APIs. Analytics APIs provide third parties with access to a set of functions that, upon use by a developer of a content sharing application 110, return a set of data which represents the information that a user device conveyed to a DRM system regarding usage of a content item. Policy management APIs provide a third party with access to a set of functions that enables the developer of a content sharing application to manage local policies or access rights. Document management APIs provide a third party with access to a set of functions that enables a developer of a content sharing application, through a customization module, to encrypt content items. The user management APIs provide a third party with access to a set of functions that helps a developer of a content sharing application to implement functionality related to managing users in a DRM system 100.

The content protection server 150 has queuing services built in that enable processing one or more content items, received for encryption, asynchronously and in a scalable fashion. The content protection server 150 also provides encryption services including algorithms and DRM specific protocols for encrypting content items received by the content protection server 150. The content protection server 150 is also configured to process documents. Specifically, the content protection server 150 is configured to provide logic and algorithms to pre-process or post-process content items that are received by the content protection server 150 before or after encryption.

According to at least one example embodiment, the content protection server 150 is a computer cloud server. Alternatively, the content protection server 150 is a computer server residing on the same network as the content sharing application 110. According to yet another example embodiment, some modules of the content protection server, e.g., an encryption module for performing encryption, are implemented within the same computer network as the content sharing application 110, while other modules are implemented on a cloud computer server.

It should be understood that the example embodiments described above may be implemented in many different ways. In some instances, the various methods and machines described herein may each be implemented by a physical, virtual or hybrid general purpose or application specific computer having a central processor, memory, disk or other mass storage, communication interface(s), input/output (I/O) device(s), and other peripherals. The general purpose or application specific computer is transformed into the machines that execute the methods described above, for example, by loading software instructions into a data processor, and then causing execution of the instructions to carry out the functions described herein.

As is known in the art, such a computer may contain a system bus, where a bus is a set of hardware lines used for data transfer among the components of a computer or processing system. The bus or busses are essentially shared conduit(s) that connect different elements of the computer system, e.g., processor, disk storage, memory, input/output ports, network ports, etc., that enables the transfer of information between the elements. One or more central processor units are attached to the system bus and provide for the execution of computer instructions. Also attached to the system bus are typically I/O device interfaces for connecting various input and output devices, e.g., keyboard, mouse, displays, printers, speakers, etc., to the computer. Network interface(s) allow the computer to connect to various other devices attached to a network. Memory provides volatile storage for computer software instructions and data used to implement an embodiment. Disk or other mass storage provides non-volatile storage for computer software instructions and data used to implement, for example, the various procedures described herein.

Embodiments may therefore typically be implemented in hardware, firmware, software, or any combination thereof.

In certain embodiments, the procedures, devices, and processes described herein constitute a computer program product, including a computer readable medium, e.g., a removable storage medium such as one or more DVD-ROM's, CD-RAM's, diskettes, tapes, etc., that provides at least a portion of the software instructions for the system. Such a computer program product can be installed by any suitable software installation procedure, as is well known in the art. In another embodiment, at least a portion of the software instructions may also be downloaded over a cable, communication and/or wireless connection.

Embodiments may also be implemented as instructions stored on a non-transitory machine-readable medium, which may be read and executed by one or more processors. A non-transient machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine, e.g., a computing device. For example, a non-transient machine-readable medium may include read only memory (ROM); random access memory (RAM); magnetic disk storage media; optical storage media; flash memory devices; and others.

Further, firmware, software, routines, or instructions may be described herein as performing certain actions and/or functions of the data processors. However, it should be appreciated that such descriptions contained herein are merely for convenience and that such actions in fact result from computing devices, processors, controllers, or other devices executing the firmware, software, routines, instructions, etc.

It also should be understood that the flow diagrams, block diagrams, and network diagrams may include more or fewer elements, be arranged differently, or be represented differently. But it further should be understood that certain implementations may dictate the block and network diagrams and the number of block and network diagrams illustrating the execution of the embodiments be implemented in a particular way.

Accordingly, further embodiments may also be implemented in a variety of computer architectures, physical, virtual, cloud computers, and/or some combination thereof, and, thus, the data processors described herein are intended for purposes of illustration only and not as a limitation of the embodiments.

While this invention has been particularly shown and described with references to example embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the scope of the invention encompassed by the appended claims.

What is claimed is:
 1. A method of updating digital rights management(DRM) access rights as applied to a DRM formatted content item, themethod comprising: receiving, by the content protection server from theDRM engine, a request for access rights for the DRM formatted contentitem when the user device requests access rights from the DRM engine;retrieving, by a content protection server from a content sharingapplication, an updated indicator of access rights associated with thecontent item, wherein the updated access rights indicator is updatedfrom a first access rights indicator when access rights to the contentitem are modified using the content sharing application; translating, byone of the content protection server and the content sharingapplication, the updated indicator of access rights retrieved into a DRMformat recognizable by a DRM engine; and used by the DRM engine to allowpermission for access by a user device to the DRM formatted contentitem.
 2. The method of claim 1 wherein the user device previouslyreceived access rights to the content item through the translation ofthe first access rights indicator by the DRM engine.
 3. The method asrecited in claim 1, wherein retrieving the updated indicator of accessrights includes: receiving information identifying the content item;requesting, from the corresponding content sharing application, theupdated indicator of access rights associated with the content itembased on the received information identifying the content item; andreceiving the access rights requested.
 4. The method as recited in claim3, further comprising determining the corresponding content sharingapplication based on information accessible to the content protectionserver, the accessible information mapping the information identifyingthe content item to the corresponding content sharing application. 5.The method as recited in claim 1, wherein translating the updatedindicator of access rights retrieved into a DRM format recognizable bythe DRM engine includes: first translating the updated indicator ofaccess rights retrieved into a format associated with the contentprotection server; and translating the access rights in the formatassociated with the content protection server into the DRM formatrecognizable by the DRM engine.
 6. The method as recited in claim 1further comprising: receiving an instance of user credentials; andauthenticating the received instance of user credentials based on storedinformation indicative of a corresponding authentic user of a userdevice.
7. The method as recited in claim 1 further comprising: receiving an instance of user credentials; and forwarding the received instance of user credentials to the content sharing application for authentication of a user of a user device.
8. The method as recited in claim 1, wherein the content protection server is a cloud server.
9. The method as recited in claim 1, wherein the content protection server resides in a same network as the content sharing application.
10. The method as recited in claim 1 wherein the DRM formatted content item is encrypted.
11. The method as recited in claim 10, wherein the DRM formatted content item is encrypted by: receiving the content item from the content sharing application; determining an encryption protocol based on a type of the received content item; pre-processing the content item by employing one or more pre-determined logic based on the content item format encrypting the content item based on the determined encryption protocol; and post-processing the content item by employing one or more pre-determined logic based on the content item format.
12. An apparatus for managing access to electronic content, the apparatus comprising: a processor; and a memory with computer code instructions stored thereon, the processor and the memory, with the computer code instructions stored thereon, being configured to: receive from the DRM engine, a request for access rights for the DRM formatted content item when the user device requests access rights from the DRM engine; retrieve from a content sharing application, an updated indicator of access rights associated with a content item, wherein the updated access rights indicator is updated from a first access rights indicator when access rights to the content item are modified using the content sharing application; translate the updated indicator of access rights retrieved into a DRM format recognizable by a DRM engine; and used by the DRM engine to allow permission for access by a user device to the DRM formatted content item.
13. The apparatus of claim 12, wherein the user device previously received access rights to the content item through the translation of the first access rights indicator by the DRM engine.
14. The apparatus as recited in claim 12, wherein in retrieving the updated indicator of access rights, the processor and the memory, with the computer code instructions stored thereon, being further configured to: receive information identifying the content item; request, from the corresponding content sharing application, the updated indicator of access rights associated with the content item based on the received information identifying the content item; and receive the access rights requested.
15. The apparatus as recited in claim 14, wherein in retrieving the updated indicator of access rights, the processor and the memory, with the computer code instructions stored thereon, being further configured to determine the corresponding content sharing application based on information accessible to the content protection server, the accessible information mapping the information identifying the content item to the corresponding content sharing application.
16. The apparatus as recited in claim 12, wherein in translating the updated indicator of access rights into the DRM format recognizable by the DRM engine, the processor and the memory, with the computer code instructions stored thereon, being further configured to: first translate the updated indicator of access rights retrieved into a format associated with the apparatus; and translating the access rights in the format associated with the apparatus into the DRM format recognizable by the DRM engine.
17. The apparatus as recited in claim 12, wherein the apparatus is a cloud server.
18. The apparatus as recited in claim 12, wherein the apparatus resides in a same network as the content sharing application.
19. The apparatus as recited in claim 12, wherein the DRM formatted content item is encrypted.
20. The apparatus as recited in claim 19, wherein the processor and the memory, with the computer code instructions stored thereon, are configured to: receive the content item from the content sharing application; determine an encryption protocol based on a type of the received content item; and encrypt the content item based on the determined encryption protocol.
21. The apparatus as recited in claim 12, wherein the apparatus being coupled to two or more DRM engines.
22. The apparatus as recited in claim 12, wherein the apparatus being able to be coupled with two or more user devices or content sharing applications.
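
The request flow of claims 1, 4 and 5, sketched as an added example that is not part of the patent text: a content protection server resolves the owning sharing application, retrieves the current access rights indicator on every request, and translates it in two stages. All names, role strings and engine formats are hypothetical and the data is constructed; unknown items, users or indicators fail closed to no rights.

```python
# Constructed data: two hypothetical sharing apps with their own permission vocabularies.
SHARING_APPS = {
    "app-a": {"doc-1": {"alice": "editor", "bob": "viewer"}},
    "app-b": {"doc-2": {"carol": "read_only"}},
}
# Claim 4: the server's mapping from content item identifier to sharing application.
CONTENT_TO_APP = {"doc-1": "app-a", "doc-2": "app-b"}

# Claim 5, stage 1: sharing-app indicator -> the server's intermediate rights set.
TO_INTERMEDIATE = {
    "editor": frozenset({"view", "edit", "print"}),
    "viewer": frozenset({"view"}),
    "read_only": frozenset({"view"}),
}
NO_RIGHTS = frozenset()

# Claim 5, stage 2: intermediate rights -> each DRM engine's own format (assumed formats).
def to_flags_engine(rights):
    return {"VIEW": "view" in rights, "EDIT": "edit" in rights, "PRINT": "print" in rights}

def to_bitmask_engine(rights):
    bits = {"view": 1, "edit": 2, "print": 4}
    return sum(bits[r] for r in rights)

ENGINES = {"flags": to_flags_engine, "bitmask": to_bitmask_engine}

def retrieve_indicator(content_id, user):
    """Ask the owning sharing app for the user's current indicator (never cached)."""
    app = CONTENT_TO_APP.get(content_id)
    if app is None:
        return None
    return SHARING_APPS[app].get(content_id, {}).get(user)

def handle_rights_request(content_id, user, engine):
    """Serve a DRM engine's request for access rights to a content item."""
    translate = ENGINES[engine]  # unknown engine raises KeyError: request rejected
    indicator = retrieve_indicator(content_id, user)
    # Fail closed: unknown item, user or indicator all translate to no rights.
    rights = TO_INTERMEDIATE.get(indicator, NO_RIGHTS)
    return translate(rights)
```

Because the indicator is fetched at request time rather than stored with the license, a permission change or removal in the sharing application is reflected in the next rights response the DRM engine receives.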